Misc fixes for 1031ee6.

This commit is contained in:
Chris PeBenito 2010-02-08 13:38:48 -05:00
parent 7d2f96783c
commit 27eab81f2f
15 changed files with 171 additions and 193 deletions

View File

@ -1502,24 +1502,6 @@ interface(`files_dontaudit_getattr_boot_dirs',`
dontaudit $1 boot_t:dir getattr; dontaudit $1 boot_t:dir getattr;
') ')
########################################
## <summary>
## List the /boot directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_list_boot',`
gen_require(`
type boot_t;
')
allow $1 boot_t:dir list_dir_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Search the /boot directory. ## Search the /boot directory.
@ -1556,6 +1538,24 @@ interface(`files_dontaudit_search_boot',`
dontaudit $1 boot_t:dir search_dir_perms; dontaudit $1 boot_t:dir search_dir_perms;
') ')
########################################
## <summary>
## List the /boot directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_list_boot',`
gen_require(`
type boot_t;
')
allow $1 boot_t:dir list_dir_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Create directories in /boot ## Create directories in /boot

View File

@ -773,7 +773,6 @@ interface(`apache_list_sys_content',`
') ')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
files_search_var($1) files_search_var($1)
') ')

View File

@ -451,7 +451,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
cobbler_search_var_lib(httpd_t) cobbler_search_lib(httpd_t)
') ')
optional_policy(` optional_policy(`

View File

@ -6,11 +6,10 @@
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## The type of the process performing this action. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
# #
#
interface(`bind_initrc_domtrans',` interface(`bind_initrc_domtrans',`
gen_require(` gen_require(`
type named_initrc_exec_t; type named_initrc_exec_t;
@ -209,25 +208,6 @@ interface(`bind_manage_config_dirs',`
manage_dirs_pattern($1, named_conf_t, named_conf_t) manage_dirs_pattern($1, named_conf_t, named_conf_t)
') ')
########################################
## <summary>
## Manage BIND zone files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bind_manage_zone',`
gen_require(`
type named_zone_t;
')
files_search_var($1)
manage_files_pattern($1, named_zone_t, named_zone_t)
')
######################################## ########################################
## <summary> ## <summary>
## Search the BIND cache directory. ## Search the BIND cache directory.
@ -309,6 +289,25 @@ interface(`bind_read_zone',`
read_files_pattern($1, named_zone_t, named_zone_t) read_files_pattern($1, named_zone_t, named_zone_t)
') ')
########################################
## <summary>
## Manage BIND zone files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bind_manage_zone',`
gen_require(`
type named_zone_t;
')
files_search_var($1)
manage_files_pattern($1, named_zone_t, named_zone_t)
')
######################################## ########################################
## <summary> ## <summary>
## Send and receive datagrams to and from named. (Deprecated) ## Send and receive datagrams to and from named. (Deprecated)

View File

@ -1,7 +1,7 @@
/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) /etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) /etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0) /usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) /var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) /var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)

View File

@ -10,6 +10,42 @@
## </p> ## </p>
## </desc> ## </desc>
########################################
## <summary>
## Execute a domain transition to run cobblerd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`cobblerd_domtrans',`
gen_require(`
type cobblerd_t, cobblerd_exec_t;
')
domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
')
########################################
## <summary>
## Execute cobblerd server in the cobblerd domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`cobblerd_initrc_domtrans',`
gen_require(`
type cobblerd_initrc_exec_t;
')
init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
')
######################################## ########################################
## <summary> ## <summary>
## Read Cobbler content in /etc ## Read Cobbler content in /etc
@ -48,6 +84,25 @@ interface(`cobbler_dontaudit_rw_log',`
dontaudit $1 cobbler_var_log_t:file rw_file_perms; dontaudit $1 cobbler_var_log_t:file rw_file_perms;
') ')
########################################
## <summary>
## Search cobbler dirs in /var/lib
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cobbler_search_lib',`
gen_require(`
type cobbler_var_lib_t;
')
search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
######################################## ########################################
## <summary> ## <summary>
## Read cobbler files in /var/lib ## Read cobbler files in /var/lib
@ -58,7 +113,7 @@ interface(`cobbler_dontaudit_rw_log',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`cobbler_read_var_lib_files',` interface(`cobbler_read_lib_files',`
gen_require(` gen_require(`
type cobbler_var_lib_t; type cobbler_var_lib_t;
') ')
@ -77,7 +132,7 @@ interface(`cobbler_read_var_lib_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`cobbler_manage_var_lib_files',` interface(`cobbler_manage_lib_files',`
gen_require(` gen_require(`
type cobbler_var_lib_t; type cobbler_var_lib_t;
') ')
@ -86,61 +141,6 @@ interface(`cobbler_manage_var_lib_files',`
files_search_var_lib($1) files_search_var_lib($1)
') ')
########################################
## <summary>
## Search cobbler dirs in /var/lib
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cobbler_search_var_lib',`
gen_require(`
type cobbler_var_lib_t;
')
search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
## Execute a domain transition to run cobblerd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`cobblerd_domtrans',`
gen_require(`
type cobblerd_t, cobblerd_exec_t;
')
domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
')
########################################
## <summary>
## Execute cobblerd server in the cobblerd domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`cobblerd_initrc_domtrans',`
gen_require(`
type cobblerd_initrc_exec_t;
')
init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
')
######################################## ########################################
## <summary> ## <summary>
## All of the rules required to administrate ## All of the rules required to administrate

View File

@ -52,6 +52,8 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
kernel_read_system_state(cobblerd_t)
corecmd_exec_bin(cobblerd_t) corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t) corecmd_exec_shell(cobblerd_t)
@ -67,13 +69,9 @@ corenet_tcp_sendrecv_generic_port(cobblerd_t)
dev_read_urand(cobblerd_t) dev_read_urand(cobblerd_t)
files_read_usr_files(cobblerd_t) files_read_usr_files(cobblerd_t)
files_list_boot(cobblerd_t) files_list_boot(cobblerd_t)
files_list_tmp(cobblerd_t) files_list_tmp(cobblerd_t)
kernel_read_system_state(cobblerd_t)
miscfiles_read_localization(cobblerd_t) miscfiles_read_localization(cobblerd_t)
miscfiles_read_public_files(cobblerd_t) miscfiles_read_public_files(cobblerd_t)
@ -119,6 +117,5 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
tftp_manage_tftpdir_dirs(cobblerd_t) tftp_manage_rw_content(cobblerd_t)
tftp_manage_tftpdir_files(cobblerd_t)
') ')

View File

@ -1,4 +1,4 @@
/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) /etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)

View File

@ -96,6 +96,44 @@ interface(`dnsmasq_kill',`
allow $1 dnsmasq_t:process sigkill; allow $1 dnsmasq_t:process sigkill;
') ')
########################################
## <summary>
## Read dnsmasq config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed.
## </summary>
## </param>
#
interface(`dnsmasq_read_config',`
gen_require(`
type dnsmasq_etc_t;
')
allow $1 dnsmasq_etc_t:file read_file_perms;
files_search_etc($1)
')
########################################
## <summary>
## Write to dnsmasq config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed.
## </summary>
## </param>
#
interface(`dnsmasq_write_config',`
gen_require(`
type dnsmasq_etc_t;
')
allow $1 dnsmasq_etc_t:file write_file_perms;
files_search_etc($1)
')
######################################## ########################################
## <summary> ## <summary>
## Delete dnsmasq pid files ## Delete dnsmasq pid files
@ -134,44 +172,6 @@ interface(`dnsmasq_read_pid_files',`
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
') ')
########################################
## <summary>
## Read dnsmasq config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed.
## </summary>
## </param>
#
interface(`dnsmasq_read_config',`
gen_require(`
type dnsmasq_etc_t;
')
read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
files_search_etc($1)
')
########################################
## <summary>
## Write to dnsmasq config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed.
## </summary>
## </param>
#
interface(`dnsmasq_write_config',`
gen_require(`
type dnsmasq_etc_t;
')
write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
files_search_etc($1)
')
######################################## ########################################
## <summary> ## <summary>
## All of the rules required to administrate ## All of the rules required to administrate

View File

@ -37,7 +37,7 @@ allow dnsmasq_t self:udp_socket create_socket_perms;
allow dnsmasq_t self:packet_socket create_socket_perms; allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms; allow dnsmasq_t self:rawip_socket create_socket_perms;
read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) allow dnsmasq_t dnsmasq_etc_t:file read_file_perms;
# dhcp leases # dhcp leases
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
@ -71,6 +71,7 @@ dev_read_urand(dnsmasq_t)
domain_use_interactive_fds(dnsmasq_t) domain_use_interactive_fds(dnsmasq_t)
files_read_etc_files(dnsmasq_t)
files_read_etc_runtime_files(dnsmasq_t) files_read_etc_runtime_files(dnsmasq_t)
fs_getattr_all_fs(dnsmasq_t) fs_getattr_all_fs(dnsmasq_t)

View File

@ -119,7 +119,7 @@ interface(`rsync_read_config',`
type rsync_etc_t; type rsync_etc_t;
') ')
read_files_pattern($1, rsync_etc_t, rsync_etc_t) allow $1 rsync_etc_t:file read_file_perms;
files_search_etc($1) files_search_etc($1)
') ')
@ -138,6 +138,6 @@ interface(`rsync_write_config',`
type rsync_etc_t; type rsync_etc_t;
') ')
write_files_pattern($1, rsync_etc_t, rsync_etc_t) allow $1 rsync_etc_t:file read_file_perms;
files_search_etc($1) files_search_etc($1)
') ')

View File

@ -60,7 +60,7 @@ allow rsync_t self:udp_socket connected_socket_perms;
allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
#end for identd #end for identd
read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) allow rsync_t rsync_etc_t:file read_file_perms;
allow rsync_t rsync_data_t:dir list_dir_perms; allow rsync_t rsync_data_t:dir list_dir_perms;
read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)

View File

@ -1,43 +1,5 @@
## <summary>Trivial file transfer protocol daemon</summary> ## <summary>Trivial file transfer protocol daemon</summary>
########################################
## <summary>
## Manage tftp /var/lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tftp_manage_tftpdir_dirs',`
gen_require(`
type tftpdir_rw_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
')
########################################
## <summary>
## Manage tftp /var/lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tftp_manage_tftpdir_files',`
gen_require(`
type tftpdir_rw_t;
')
files_search_var_lib($1)
manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
')
######################################## ########################################
## <summary> ## <summary>
## Read tftp content ## Read tftp content
@ -56,6 +18,26 @@ interface(`tftp_read_content',`
read_files_pattern($1, tftpdir_t, tftpdir_t) read_files_pattern($1, tftpdir_t, tftpdir_t)
') ')
########################################
## <summary>
## Manage tftp /var/lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tftp_manage_rw_content',`
gen_require(`
type tftpdir_rw_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
')
######################################## ########################################
## <summary> ## <summary>
## All of the rules required to administrate ## All of the rules required to administrate

View File

@ -74,8 +74,8 @@ ifdef(`distro_redhat',`
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) /var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) /var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)

View File

@ -12,7 +12,7 @@
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)